Project author: dockpack

Project description:
An Ansible role to harden SSH on Centos 7.
Language: HCL
Project URL: git://github.com/dockpack/secure_ssh.git
Created: 2019-07-06T18:44:59Z
Project community: https://github.com/dockpack/secure_ssh

License:



Hardened SSH


An Ansible role to harden SSH on Centos 7 with several options, like using a trusted CA.

This role is based on insights gained while working with DISA-STIG, CIS, USG, NCSC, NIST, PCI, and other security norms. After scanning with OpenSCAP, I audited my server with Mozilla's SSH Observatory, and finally with ssh-audit. I can still connect to Centos 7 from macOS Mojave.

I can still use port forwarding and X11Forwarding, but an incredible number of options is configurable.

License: MIT

Key Management Requires Attention

distribute_ssh_keys: true
In any larger organization, an SSH key management solution is almost a necessity. SSH keys should also be moved to root-owned locations, with proper provisioning and termination processes. Users cannot modify their public key because the immutable file attribute is set on the key file.

AuthorizedKeysFile: '/etc/ssh/authorized_keys/%u'
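An added example of how this layout can be implemented as Ansible tasks; it is not part of the role. It assumes each entry in ssh_users carries a hypothetical pubkey field and that a restart sshd handler exists.

```yaml
# Added example, not the role's own tasks. Assumes each ssh_users entry
# carries a hypothetical `pubkey` field and that a `restart sshd` handler exists.
- name: Ensure the root-owned authorized_keys directory exists
  ansible.builtin.file:
    path: /etc/ssh/authorized_keys
    state: directory
    owner: root
    group: root
    mode: '0755'

- name: Point sshd at the root-owned key location
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?AuthorizedKeysFile\s'
    line: 'AuthorizedKeysFile /etc/ssh/authorized_keys/%u'
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart sshd

# An immutable file cannot be replaced, so drop +i before (re)writing it.
# Preserving timestamps keeps this touch idempotent.
- name: Clear the immutable attribute before provisioning keys
  ansible.builtin.file:
    path: "/etc/ssh/authorized_keys/{{ item.username }}"
    state: touch
    owner: root
    group: root
    mode: '0644'
    attributes: '-i'
    modification_time: preserve
    access_time: preserve
  loop: "{{ ssh_users }}"

- name: Write each user's public key (root-owned, not user-writable)
  ansible.builtin.copy:
    content: "{{ item.pubkey }}\n"
    dest: "/etc/ssh/authorized_keys/{{ item.username }}"
    owner: root
    group: root
    mode: '0644'
  loop: "{{ ssh_users }}"

# Re-apply +i so the user cannot add a key of their own to the file.
- name: Make the key file immutable
  ansible.builtin.file:
    path: "/etc/ssh/authorized_keys/{{ item.username }}"
    state: file
    attributes: '+i'
  loop: "{{ ssh_users }}"
```

Removing and re-adding +i reports a change on every run; the copy itself only rewrites the file when the key content differs.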

Hashicorp Vault

This role can be used to manage SSH access by means of signed SSH keys, and SFTP access with OTP.

Signed SSH keys

See SECURITY.md

To manage groups without IAM, LDAP, or AD:

manage_ssh_groups: true # Default is false.

Creates groups for various purposes.

  ssh_groups:
    with_items:
      - wheel
      - staff
      - users
      - games
      - chroot

To manage users without IAM, LDAP, or AD:

manage_ssh_users: true # Default is false.
Adds all users listed in 'ssh_users:' and removes all users listed in 'non_users:'.
Check defaults/main.yml.

  ssh_users:
    - username: vagrant
      shell: /bin/bash
      group: wheel
      seuser: unconfined_u

The seuser property of a user helps to confine users to SELinux policy classes.

semanage_ssh_users: true

There are five main SELinux seuser values:

  • guest_u: no X windows, no sudo, and no networking
  • xguest_u: same as guest_u, but X and web connectivity are allowed
  • user_u: same as xguest_u, but networking isn't restricted
  • staff_u: same as user_u, but sudo is allowed (su isn't allowed)
  • unconfined_u: full access

Fail2ban

Some commands to verify the configuration. Attackers show up in /var/log/secure.

  firewall-cmd --list-rich-rules
  ipset list fail2ban-sshd
  firewall-cmd --ipset=fail2ban-sshd --add-entry=222.186.52.124
  ipset add fail2ban-sshd 112.85.42.237 timeout 86400 -exist
  fail2ban-client status sshd

The Mozilla SSH Observatory scans from sshscan.rubidus.com at 45.55.176.164.